FireEye research identifies link between Petya ransomware and Russian-based Sandworm Team

Cyber security firm FireEye has said it found links between a Russian-based hacking group, Sandworm Team, and the Petya ransomware attack that crippled IT systems globally last year.

Evidence analysed by FireEye's iSIGHT Intelligence team, including details of a Sandworm Team ransomware campaign in March 2017 and technical data from an M.E.Doc update server, suggests a link between the Petya ransomware campaign and Sandworm Team, FireEye said in a statement.

Last week, the US and Britain directly accused the Russian military of being behind a cyber-attack on Ukraine that spread globally last year. In the NotPetya attack, businesses with strong trade links with Ukraine, such as the UK's Reckitt Benckiser, Dutch delivery firm TNT and Danish shipping giant Maersk, were affected. The attack is estimated to have cost companies more than $1.2bn.

Petya and NotPetya are two related pieces of malware that affected thousands of computers worldwide in 2017. Both Petya and NotPetya aim to encrypt the hard drive of infected computers; while Petya is a standard piece of ransomware used to extract bitcoin payments from victims, NotPetya is widely believed to be a state-sponsored Russian cyberattack masquerading as ransomware. M.E.Doc is an accounting software maker implicated in spreading NotPetya malware.


John Hultquist, director of intelligence analysis at FireEye, said the Russia-nexus cyber espionage group Sandworm Team has used malware several times against Ukrainian entities since the fall of 2015. The earliest variations simply wiped the victims' machines; however, in 2017 a ransomware component was introduced. “These prior attacks share features, including distribution through a compromised software provider and a wiper masquerading as ransomware, with the June 2017 Petya attack, supporting a link between Sandworm and Petya,” Hultquist added.

Sandworm Team is best known for causing two blackouts in Ukraine, and while its attention is often focused there, it has targeted systems in the West as well, Hultquist said. Previously, Sandworm Team was found to have penetrated several US utilities, suggesting preparation for an attack, he added.

Russia has dismissed the claims, terming them "baseless". The government has pointed out that Russian businesses were among those whose systems were affected. Ukraine has been locked in armed conflict with Russian-backed separatists since Moscow annexed Crimea in 2014.

UK Defence Secretary Gavin Williamson warned that the West had "entered a new era of warfare, witnessing a destructive and deadly mix of conventional military might and malicious cyber attacks".